On 13.12.2013 15:21, Emmanuel Thierry wrote:
Hello
(First time posting on this ML)
After several months of waiting, I'm testing DNSSEC deployment with some of my
domains, using opendnssec software.
However, some principles still are hard to envision for dummies, especially
time schedules.
As an example, RFC 6781 shows a very clear timeline in section 4.4.2.2 about
signature validity. But it is missing for any other operation (KSK or ZSK
rollover, DS publication in the parent zone, ...). Concretely, it implies that
system administrators who are not DNSSEC experts may have a lot of trouble
understanding what exactly each configuration parameter means in software that
sticks really tightly to RFC 6781, such as opendnssec. In consequence, DNSSEC
configuration looks like black magic that will work (because software is made
to do so) but we don't know why...
In my very specific case, I don't understand which of my parameters makes the KSK take
one day to be considered as "published" when my zone TTLs are set to 3600.

Maybe you have configured a long "propagation delay".
See https://wiki.opendnssec.org/display/DOCS/kasp.xml

Does material exist that makes explicit, graphically (in an ideal way), each specific
key and DNSSEC record life cycle, in the same manner as section 4.4.2.2?

Have you checked:
https://wiki.opendnssec.org/display/DOCS/Key+Rollovers and
http://tools.ietf.org/html/draft-ietf-dnsop-dnssec-key-timing-03
regards
Klaus
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations